Patch Tuesday: Windows 10 end of life pain for IT departments

The day Microsoft officially stopped supporting Windows 10 coincided with a Patch Tuesday update that fixed several zero-day flaws that attackers could use to attack the older Windows operating system.

Among them is CVE-2025-24990, which covers an outdated device driver that Microsoft has now removed from Windows entirely. “The active use of CVE-2025-24990 in the Agere modem driver (ltmdm64.sys) demonstrates the security risks associated with supporting legacy components on modern operating systems,” warned Ben McCarthy, lead cybersecurity engineer at Immersive.

“This driver, which supports hardware from the late 1990s and early 2000s, predates current secure development practices and has remained largely unchanged for many years,” he said. “Kernel mode drivers run with the highest system privileges, making them a prime target for attackers looking to expand their access.”

McCarthy said attackers are using this vulnerability as a second step in their operations. “The attack chain typically begins with the attacker gaining an initial foothold on the target system through common methods such as a phishing campaign, credential theft, or exploiting another vulnerability in a public application,” he said.

McCarthy added that Microsoft's decision to remove the driver entirely instead of releasing a patch is a direct response to the risks associated with changing unsupported third-party legacy code. “Attempts to patch such a component may be unreliable, potentially resulting in system instability or failing to fully address the root cause of the vulnerability,” he said.

By removing the driver from the Windows operating system, Microsoft prioritized reducing the attack surface over absolute backward compatibility, McCarthy said. “By removing the vulnerable and outdated component, the potential for this particular exploit is zero,” he said. “The security risk posed by the driver was determined to be greater than the requirement to continue to support the legacy hardware it serves.”

McCarthy said the approach demonstrates that an effective security strategy must include lifecycle management of old code, with removal often being more permanent and secure than patching.
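Because the fix for CVE-2025-24990 is the removal of ltmdm64.sys rather than a patched binary, the practical check on a fleet is whether the driver is still present, still staged in the driver store, or still registered as a kernel driver service. The PowerShell below is an added example written for this article, not code from Microsoft or Immersive; it assumes only the standard Windows paths and the Win32_SystemDriver and Win32_OperatingSystem CIM classes, and it reports rather than removes anything.

```powershell
# Added example (not from the article or Immersive): audit one Windows host for the
# legacy Agere modem driver ltmdm64.sys named in the article. It only uses standard
# Windows locations and CIM classes and makes no changes to the system.

$driverName = 'ltmdm64.sys'
$findings   = @()

# 1. Is the binary still in the live drivers directory?
$livePath = Join-Path $env:SystemRoot "System32\drivers\$driverName"
if (Test-Path $livePath) {
    $info = Get-Item $livePath
    $findings += [pscustomobject]@{
        Check  = 'On disk (System32\drivers)'
        Detail = "$livePath  version=$($info.VersionInfo.FileVersion)  modified=$($info.LastWriteTime)"
    }
}

# 2. Is a staged copy still in the driver store? Plug and Play can reinstall a
#    staged package even after the live copy has been deleted.
$store  = Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository'
$staged = Get-ChildItem -Path $store -Recurse -Filter $driverName -ErrorAction SilentlyContinue
foreach ($s in $staged) {
    $findings += [pscustomobject]@{
        Check  = 'Staged in DriverStore'
        Detail = $s.FullName
    }
}

# 3. Is a kernel driver service registered that points at the file, and is it running?
$svc = Get-CimInstance -ClassName Win32_SystemDriver |
       Where-Object { $_.PathName -like "*$driverName*" }
foreach ($d in $svc) {
    $findings += [pscustomobject]@{
        Check  = 'Registered driver service'
        Detail = "$($d.Name)  state=$($d.State)  start=$($d.StartMode)"
    }
}

# 4. Context for the report: Windows 10 hosts are now out of mainstream support.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Host "Host: $($os.Caption) build $($os.BuildNumber)"

if ($findings.Count -eq 0) {
    Write-Host "$driverName not found on disk, in the driver store, or as a registered driver."
} else {
    Write-Host "$driverName still present:"
    $findings | Format-Table -AutoSize
}
```

Run it under an elevated prompt so the driver store is readable. A host that reports nothing in all three places has received the removal; a host that still shows a staged copy can have the package identified with `pnputil /enum-drivers` and removed with `pnputil /delete-driver <oemNN.inf> /force`, where the oemNN.inf name comes from that listing rather than from this script.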

Another zero-day vulnerability being patched involves the Trusted Platform Module (TPM) specification from the Trusted Computing Group (TCG). Adam Barnett, lead software engineer at Rapid7, noted that CVE-2025-2884 affects the TPM 2.0 reference implementation, whose code would normally be carried over into each vendor's own implementation.

“Microsoft is treating this as a zero-day, despite the curious fact that Microsoft is a founding member of the TCG and therefore presumably involved in the discovery prior to its publication,” he said. “Windows 11 and newer versions of Windows Server are receiving fixes. Instead of fixes, administrators of older Windows products such as Windows 10 and Server 2019 received another implicit reminder that Microsoft strongly prefers that everyone upgrade.”

One of the patches, classified as “critical,” has such a severe impact that some security experts are advising IT departments to install the patch immediately. McCarthy warned that the critical vulnerability CVE-2025-49708 in Microsoft's graphics component, although classified as a “privilege escalation” security issue, has serious real-world implications.

“This is a full-fledged virtual machine [VM] escape,” he said. “This vulnerability, with a CVSS score of 9.9, completely breaks the security boundary between a guest virtual machine and its host operating system.”

McCarthy urged organizations to prioritize fixing this vulnerability because it invalidates the core security promises associated with virtualization.

“A successful exploit means that an attacker with even low-privilege access to a single, non-critical guest virtual machine can break into and execute code with system privileges directly on the underlying host server,” he said. “This isolation flaw means that an attacker can then access, manipulate, or destroy data on any other virtual machine running on the same host, including mission-critical domain controllers, databases, or production applications.”
